ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right of the 
General Data Protection Regulation (GDPR). It allows individuals to find out what 
personal data is held about them and to obtain a copy of that data. Following on 
from our initial GDPR guidance on this right (published in April 2018), the ICO 
has now drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the obligations on 
controllers. The draft guidance also explores the special rules involving certain 
categories of personal data, how to deal with requests involving the personal 
data of others, and the exemptions that are most likely to apply in practice 
when handling a request. 


We are running a consultation on the draft guidance to gather the views of 
stakeholders and the public. These views will inform the published version of the 
guidance by helping us to understand the areas where organisations are seeking 
further clarity, in particular taking into account their experiences in dealing with 
subject access requests since May 2018. 


If you would like further information about the consultation, please email
SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 2020.


Privacy statement


For this consultation, we will publish all responses received from organisations 
but we will remove any personal data before publication. We will not publish 
responses received from respondents who have indicated that they are an 
individual acting in a private capacity (e.g. a member of the public). For more 
information about what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with our work on 
the right of access only. The information will not be used to consider any regulatory 
action, and you may respond anonymously should you wish. 


Please note that we are using the platform Snap Surveys to gather this
information. Any data collected by Snap Surveys for ICO is stored on UK
servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right of access?


O Yes
X No
O Unsure/don’t know


If no or unsure/don’t know, what other issues would you like to be covered in it? 


The following matters are not dealt with by the guidance:


Duty of confidentiality exemption - The draft guidance builds on the pre-existing
guidance regarding the legal professional privilege exemption (Data Protection Act
2018 Schedule 2, Part 4, paragraph 19 (a)). However, no guidance is provided for
the new exemption in paragraph 19 (b): information in respect of which a duty of
confidentiality is owed by a professional legal adviser to a client of the adviser.
This new exemption is distinct from and broader in its potential application to that
relating to legal privilege, reflecting the broad confidentiality obligations owed by
legal professionals, even when legal privilege is not engaged, and should be
covered by the guidance.


“Manifestly unfounded or excessive” - The ICO does not address whether public
bodies subject to FOIA/EIR may take prior FOI/EIR requests, or correspondence
made as part of any such FOI/EIR requests, or any determination that the
requestor has made vexatious requests into account when determining whether or
not the subject access request is manifestly unfounded.


Where the data subject already has the information - The ICO does not comment
on whether information that has already been seen by and/or is in the possession
of the requester (e.g. because they are in copy of the relevant email) must always
be provided to the requester again, or whether it may be reasonable for such
information to be withheld.


Q2 Does the draft guidance contain the right level of detail?


O Yes
X No 
O Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail within the 
draft guidance? 


Further detail would be welcome in relation to the following points: 


“When is a request complex?” (page 18) - The ICO does not make clear whether 
or not the receipt of a request as part of a bulk coordinated set of requests could 
be a factor which adds to the complexity of each single request.


“How should we deal with bulk requests?” (page 22) - The guidance should make 
clear that the third party’s authorisation to make a subject access request on 
behalf of an individual needs to be specific to the scope of the subject access 
request, and not merely part of a broader authority to act. 


“Can we clarify the request?” (page 23) - The ICO does not make sufficiently clear 
the distinction between “narrowing the scope” of the request (which is not 
permitted) and “clarifying the request” (which is permitted).


“A request may be manifestly unfounded if: ...the individual clearly has no intention 
to exercise their right of access. For example an individual makes a request, but 
then offers to withdraw it in return for some form of benefit from the organisation” 
(page 35) - The guidance does not explain what “clearly” means. In addition, the 
guidance does not address the scenario where individuals have agreed not to 
pursue their subject access requests as part of a settlement agreement in the 
context of an employment dispute. 


“Negotiations with the requester” (page 55-56) - The ICO does not explain exactly 
what it means by “negotiations”, for example whether the “without prejudice” rule 
needs to be in play. 


Q3 Does the draft guidance contain enough examples? 


O Yes 
X No
O Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you think should be 
included in the draft guidance. 


In addition to the areas of guidance we have highlighted elsewhere, more examples 
would be welcomed in respect of what would be considered to be “Management 
information” (page 55). 


Q4 We have found that data protection professionals often struggle with
applying and defining ‘manifestly unfounded or excessive’ subject access
requests. We would like to include a wide range of examples from a variety
of sectors to help you. Please provide some examples of manifestly
unfounded and excessive requests below (if applicable).


See response to Question 8 below. 


Q5 On a scale of 1-5 how useful is the draft guidance?


1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score?


Q7 To what extent do you agree that the draft guidance is clear and easy to 
understand? 


Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 Please provide any further comments or suggestions you may have about 
the draft guidance. 


On page 22, the guidance expressly states that “if a request is made by a third party 
on behalf of an individual, the behavior of the third party should not be taken into 
account in determining whether a request is manifestly unfounded or excessive”. Our 
view is that the behavior of the third party should be taken into account as needed to 
ascertain whether the request is a legitimate and genuine exercise of an individual’s 
right of access, or whether the request is made as part of a fishing expedition to 
extract information for the commercial gain of the third party - and the guidance 
should be revised in this respect. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone
providing their views as a member of the public)

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Eversheds Sutherland (International) LLP


What sector are you from:


Legal 


Q10 How did you find out about this survey? 


ICO Twitter account
ICO Facebook account
ICO LinkedIn account
ICO website
ICO newsletter
ICO staff member
Colleague
Personal/work Twitter account
Personal/work Facebook account
Personal/work LinkedIn account
Other


Thank you for taking the time to complete the survey. 


